General

  • Target

    6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics

  • Size

    2.9MB

  • Sample

    240516-bbw14sdb58

  • MD5

    6a9aaa3fc23d1561df97e3f9eb2de110

  • SHA1

    d0effad0bad292fb0bcb377cbafacd8db83a474e

  • SHA256

    9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565

  • SHA512

    7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c

  • SSDEEP

    49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks